[PATCH v2 0/9] efi_loader: capsule: improve capsule authentication support

Heinrich Schuchardt xypron.glpk at gmx.de
Sun Aug 1 11:40:14 CEST 2021


On 7/27/21 11:10 AM, AKASHI Takahiro wrote:
> As I proposed and discussed in [1] and [2], I have made a couple of
> improvements on the current implementation of capsule update in this
> patch set.
>
> * add signing feature to mkeficapsule
> * add "--guid" option to mkeficapsule
> * add man page of mkeficapsule
> * add pytest for capsule authentication (on sandbox)
>
> NOTE:
> Due to Ilias's commit[3], we need to have a customized configuration
> for sandbox to properly set up and run capsule authentication test.
> See patch#5,#6 and #7.
>
> [1] https://lists.denx.de/pipermail/u-boot/2021-April/447918.html
> [2] https://lists.denx.de/pipermail/u-boot/2021-July/455292.html
> [3] commit ddf67daac39d ("efi_capsule: Move signature from DTB to
>      .rodata")


Dear Takahiro,

thanks for driving this topic. I have finished with my review and will
be waiting for v2.

Best regards

Heinrich

>
> Prerequisite patches
> ====================
> None
>
> Test
> ====
> * locally passed the pytest which is included in this patch series
>    on a sandbox build.
>
> Todo
> ====
> * Confirm that the change in .gitlab-ci.yml works.
> * Azure support(?)
>
> Changes
> =======
> v2 (July 28, 2021)
> * rebased on v2021.10-rc*
> * removed dependency on target's configuration
> * removed fdtsig.sh and others
> * add man page
> * update the UEFI document
> * add dedicated defconfig for testing on sandbox
> * add gitlab CI support
> * add "--guid" option to mkeficapsule
>    (yet rather RFC)
>
> Initial release (May 12, 2021)
> * based on v2021.07-rc2
>
> AKASHI Takahiro (9):
>    tools: mkeficapsule: add firmwware image signing
>    tools: mkeficapsule: add man page
>    doc: update UEFI document for usage of mkeficapsule
>    efi_loader: ease the file path check for public key
>    test/py: efi_capsule: add image authentication test
>    sandbox: add config for efi capsule authentication test
>    GitLab: add a test rule for efi capsule authentication test
>    tools: mkeficapsule: allow for specifying GUID explicitly
>    test/py: efi_capsule: align with the syntax change of mkeficapsule
>
>   .gitlab-ci.yml                                |   6 +
>   MAINTAINERS                                   |   1 +
>   configs/sandbox_capsule_auth_defconfig        | 307 +++++++++++++++
>   doc/develop/uefi/uefi.rst                     |  31 +-
>   doc/mkeficapsule.1                            |  98 +++++
>   lib/efi_loader/Makefile                       |   5 +-
>   test/py/tests/test_efi_capsule/SIGNER.crt     |  19 +
>   test/py/tests/test_efi_capsule/SIGNER.esl     | Bin 0 -> 829 bytes
>   test/py/tests/test_efi_capsule/SIGNER.key     |  28 ++
>   test/py/tests/test_efi_capsule/SIGNER2.crt    |  19 +
>   test/py/tests/test_efi_capsule/SIGNER2.key    |  28 ++
>   .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
>   test/py/tests/test_efi_capsule/conftest.py    |  39 +-
>   .../test_capsule_firmware_signed.py           | 228 +++++++++++
>   tools/Kconfig                                 |   7 +
>   tools/Makefile                                |   8 +-
>   tools/mkeficapsule.c                          | 368 ++++++++++++++++--
>   17 files changed, 1129 insertions(+), 68 deletions(-)
>   create mode 100644 configs/sandbox_capsule_auth_defconfig
>   create mode 100644 doc/mkeficapsule.1
>   create mode 100644 test/py/tests/test_efi_capsule/SIGNER.crt
>   create mode 100644 test/py/tests/test_efi_capsule/SIGNER.esl
>   create mode 100644 test/py/tests/test_efi_capsule/SIGNER.key
>   create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.crt
>   create mode 100644 test/py/tests/test_efi_capsule/SIGNER2.key
>   create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
>


